Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Terror Exploit Kit? More like Error Exploit Kit

Q: What does it take to create a simple, yet fully functioning exploit kit?

A: Just a little bit of determination.

A few weeks ago a website popped up on our radar: www[.]***empowernetwork[.]com

This web site, like many others in our telemetry, is launching an infection campaign but its naïve and direct approach made it stand out among the others:

  1. Attackers usually host exploits on subdomains (domain shadowing) that point to their own servers and are unrelated to the main domain. However, in this case all the exploits are hosted on the main domain.
  2. Experienced attackers don't allow direct request to their landing page. They use several evasion and detection techniques, such as referrer checks, before serving any exploits. In this case however a direct request to the landing page will return a bunch of unconditional exploits (also known as "Carpet Bombing" – previously seen with Sundown EK and other mediocre exploit kits).

Taking a quick look at it revealed something interesting yet worrying: a full-blown exploit kit was deployed on this web site. There were 8 different operational exploits in this kit when we first observed it:

CVE-2014-6332 - Internet Explorer
CVE-2016-0189 - Internet Explorer
CVE-2015-5119 - Adobe Flash
CVE-2015-5122 - Adobe Flash
CVE-2013-1670/CVE-2013-1710 - Firefox
CVE-2014-1510/CVE-2014-1511 - Firefox
CVE-2014-8636 - Firefox
CVE-2015-4495 - Firefox

Here's a quick look at the landing page as it looked at the time of our analysis:

 

ie1.html => publicly available CVE-2014-6332 IE Exploit
ie2.html => publicly available CVE-2016-0189 IE Exploit
ie3.html => publicly available CVE-2014-6332 IE Exploit, again
firefox1.js => CVE-2013-1670/CVE-2013-1710 from metasploit + obfuscation
firefox2.js => CVE-2014-1510/CVE-2014-1511 from metasploit + obfuscation
firefox3.js => CVE-2014-8636 from metasploit + obfuscation
firefox4.html => CVE-2015-4495 from metasploit
mozilla.html => CVE-2013-1670/CVE-2013-1710 from metasploit
flash1.swf => CVE-2015-5122 from hacking team
flash2.swf => CVE-2015-5119 from hacking team

Additionally, there were 8 exploits which were commented out:

adobe1.html => sadjhg12390.swf (md5: 4984c607b8f40c3dce221f4d9c849530) => CVE-2015-3105 from metasploit. In fact, the md5 is an exact match for the Hunter EK sample.

adobe2.html => 123kappa123.swf (md5: 6b2befdd397c9032fcc01b73e6797126) => CVE-2015-5122 From Sundown/Hunter which is the exploit from metasploit obfuscated with secureSWF

adobe3.html => aakj1678jasdhbgty.swf (md5: ddf6fcbc721eab9bb220e862995f087b) => poc2.flv => CVE-2015-3113 from metasploit, although the md5 is exactly as in Hunter EK

adobe4.html => 360a296ea1e0abb38f1080f5e802fb4b => CVE-2014-0515 same md5 as sundown, this is the metasploit exploit obfuscated with Leawo SWF Encrypt and SWF Defender

adobe5.html => 1493f0e60aca5bcc753405d96c739bb4 => CVE-2015-3090 from metasploit, although the md5 is exactly as in Hunter EK

adobe6.html => 3930b19ce86a4a5545c8deb0c94990b5 => CVE-2015-0359 from metasploit, although the md5 is exactly as in Hunter EK

adobe7.html => d11a10ea60a2b8c01e7a2b620723471a => CVE-2015-0311 from Hunter EK

m3.class => CVE-2013-2465 from Hunter EK

Since this kit is a work in progress, we can assume that they have commented out the exploits either due to the fact that they haven't been fully tested yet, or because they are outdated and the author found the 8 current exploits to be sufficient.

Over the past year the exploit kit market has suffered a big blow due to the disappearance of some big players like Angler, Neutrino and Nuclear. In this context it makes sense that we see small initiatives of cyber criminals who try to fill the vacuum by orchestrating DIY exploit kits using Metasploit's ready-to-use exploits.

As we were examining the exploits we found them to be a little too familiar. This is because all the exploits are a nice combination of Metasploit exploits and exploits stolen from other kits. The stolen exploits are from either Sundown or Hunter EK's during their early stages when the two kits were almost identical and stole exploits from each other. We also saw the publicly available Hacking Team's flash exploit and the publicly available IE CVE-2016-0189 exploit as part of the kit.

After starting our investigation we realized that this website is not compromised, but rather is a clone of a real site (http://www.empowernetwork.com/) and that the author simply added the "kit" to the domain name.

Further investigation of this IP revealed older traces that we followed back to an IP (54.187.245.84) which was once tied to a domain by the name: terrorexploitkit[.]hopto[.]org. Are we witnessing the formation of a new exploit kit - "Terror Exploit Kit"?

When we first encountered the kit the landing page URL was:

kitempowernetwork [.]com/test/test.html

However, this page doesn't exist anymore.

The current landing page URL is:

kitempowernetwork [.]com/test1/test.php

Even more surprising, is the fact we have found that there are two URL's that redirect to Sundown landing page:

empowernetworkpackage[.]com/test/test.php & empowernetworkpackage[.]com/test2/test.php

 

 

We don't know why the author did this. However, we can speculate that they might have used that as a "backup" mechanism for victims they couldn't exploit successfully. Sort of "I'll try on my own first, and if not successful I'll hand it off to more experienced criminals" approach.

As for the payloads, the payload that we observed from the kit in the first encounter was a dropper that would download ccminer. ccminer gets its configuration from pastebin & github.

The payload from Sundown was another dropper with a different md5, perhaps crypted to avoid detection, but the end results was the same - the dropper would connect to either github/pastebin to get the url of the miner to download and execute it.

Side note: the droppers and the miners are 64bit only executables.

 

The miner is set to mine the "Monero" cryptocurrency, which recently increased in value due to its adoption in several underground black markets.

The IP address of kitempowernetwork[.]com is 149.202.164.86, we have noticed more domains being registered under this IP. Daily changes in GitHub suggest that this kit or whatever it is, is under continuous development, so it is likely will see some more changes in the near future.

 

But wait, there's more! Just as we were about to publish the blog we noticed some new changes in Terror EK. A New Year's resolution to improve, perhaps?

The landing page has been totally rewritten and it is sort of an un-obfuscated Sundown, an observation also made by several other researchers who have thus far been calling it a Sundown variant:

 

Malwarebytes has also written a nice blog about the payload being dropped by this latest variant of Terror EK. However the payload request from Sundown (hnt[.]e27[.]biz/z[.]php?id=215), which caused some of the confusion about this kit, appears to be simply bad copy & paste work from the Terror EK author. It fails to fetch the payload from the Sundown server. The actual payload of Terror EK is "oq2.data" as seen in Malwarebytes fiddler image.

This new landing page has all the exploits in it, instead of making iframes to individual exploits, however the number of exploits is much more limited:

CVE-2013-2551
CVE-2014-6332
CVE-2015-7645
CVE-2016-4117

In fact, it looks like the author stole Sundown exploits after trying out the kit for a few weeks. This can be seen by the "style" of the exploit code and the fact that the exploit for CVE-2016-4117 is exactly the same one we described in our post about Sundown a while back. The only difference is that the exploit in Terror EK had another layer of obfuscation added by dcomsoft SWF Protector.

After tracking this kit for over a month, we strongly suspect that this is a one-man operation. Crypto mining is not that profitable, however for a one-man operation this is a good solution. Once the host is infected and as long as it keeps running the miner, you profit. No hassle whatsoever.

At the moment the attacker's subscription to Sundown has ended and they haven't made changes in github for the last two weeks, though they do continue to register new domains. Given that there is a lot of chatter in the underground from people looking to buy client side exploits and the creation of new exploit kits, there is clearly high demand and scarce supply for these in the market. Given this, we might see this kit continue to evolve or similar DIY kits popping up at any time.

Trustwave customers are protected against the Terror Exploit Kit and other exploit kits.

This blog post was co-authored by Simon Kenin and Arseny Levin.

Thanks to Rami Kogan and Anat Davidi for their contribution to the research described in this post.

IOCs:

IPs:
54.187.245.84
149.202.164.86
158.69.80.197
158.69.86.203
158.69.87.196
185.81.167.70

Domains:
terrorexploitkit[.]hopto[.]org

MD5s:
Ccminers:
78c032fa028635faa07e7eb66dcd4b9d (downloadupdate1.exe)
dd83305f50c8250f4d94d65402f357b7 (downloadupdate2.exe)
ca0098a21d931d287873c222b29ace07 (downloadupdate.exe)

Droppers:
94418ccb9f0f18fb4420d7aeb613878a (q.php.htm.exe)
300f81780c1b583014092cba8ea765bb (from Sundown)

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More